Title: DNS override with source IP "hides" DNS server from LAN
Post by: 8191 on August 15, 2016, 01:37:04 pm

I've discovered a weird problem with the DNS forwarder's override feature when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override, using the "Source IP" as the gateway (i.e. itself). This allows the DNS forwarder to reach the DNS server using the "Source IP", but it also has a weird implication for all other hosts behind OPNsense that try to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense sends an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: (re0)
IPsec tunnel to: (via re2, WAN)
DNS override of dnsmasq: (=Source IP:
Route added by OPNsense: via re0

Host wants to reach sends IP packet to OPNsense (IP dest=, is def. gw.); OPNsense responds with ICMP redirect to re0; sends ARP request for to its subnet (, which obviously never gets answered.
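As an added example (not part of the post above and not OPNsense code), the following Python script shows how to spot the condition the post describes from a FreeBSD-style `netstat -rn` table: a route whose gateway is one of the router's own interface addresses. It then works out what a LAN host does when an ICMP redirect sends it straight at the remote DNS server. The routing table excerpt, the interface names re0/re2 and every address are constructed for illustration (RFC 5737 ranges); they are not the poster's real addresses, which the post does not show.

```python
"""Detect static routes that point at the router's own address and show the
effect of the resulting ICMP redirect on a LAN host.

Added example; not from the forum post or from OPNsense. All addresses and
the netstat output are constructed.
"""
import ipaddress

# Constructed FreeBSD-style `netstat -rn` excerpt (IPv4 only). The last line
# mirrors the situation in the post: a host route to the remote DNS server
# (203.0.113.53) whose gateway is the router's own LAN address (192.0.2.1).
SAMPLE_NETSTAT_RN = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         re2
192.0.2.0/24       link#1             U           re0
192.0.2.1          link#1             UHS         lo0
198.51.100.0/24    link#3             U           re2
203.0.113.53       192.0.2.1          UGHS        re0
"""

# Constructed addresses the router itself holds on its interfaces.
LOCAL_IFACE_ADDRS = {
    "re0": ipaddress.ip_interface("192.0.2.1/24"),    # hypothetical LAN
    "re2": ipaddress.ip_interface("198.51.100.2/24"), # hypothetical WAN
}


def parse_routes(netstat_text):
    """Return (destination, gateway, flags, netif) tuples from netstat -rn text.

    Loose column split: the first line is the header, and only rows with at
    least four whitespace-separated fields are kept.
    """
    routes = []
    for line in netstat_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        routes.append((parts[0], parts[1], parts[2], parts[3]))
    return routes


def self_gateway_routes(netstat_text, local_addrs):
    """Routes whose gateway is an address the router holds itself.

    Such a route is the trigger the post describes: traffic for the
    destination arriving from the LAN leaves through the same interface it
    came in on, so the router answers the LAN host with an ICMP redirect.
    """
    own = {str(iface.ip) for iface in local_addrs.values()}
    return [(dest, gw, netif)
            for dest, gw, _flags, netif in parse_routes(netstat_text)
            if gw in own]


def redirect_outcome(redirect_target, lan_host):
    """What a LAN host does after accepting an ICMP redirect.

    `redirect_target` is the address the redirect tells the host to use as
    next hop; `lan_host` is the host's own address with prefix. A host that
    honours the redirect resolves the next hop with ARP on its own link, so
    if the target lies outside the host's subnet the ARP request is never
    answered and the destination becomes unreachable.
    """
    target = ipaddress.ip_address(redirect_target)
    host = ipaddress.ip_interface(lan_host)
    if target in host.network:
        return "reachable: %s is on-link for %s" % (target, host.network)
    return "unreachable: host ARPs for off-link %s on %s, no reply" % (
        target, host.network)


if __name__ == "__main__":
    for dest, gw, netif in self_gateway_routes(SAMPLE_NETSTAT_RN, LOCAL_IFACE_ADDRS):
        print("self-gateway route: %s via %s on %s" % (dest, gw, netif))
        # As in the post, the redirect points the LAN host at the DNS
        # server itself, so the host treats it as directly reachable.
        print(redirect_outcome(dest, "192.0.2.20/24"))  # constructed LAN host
```

Run it on the output of `netstat -rn` from the firewall and the list of its own interface addresses; any route reported by `self_gateway_routes` is a candidate for the behaviour described in the post, and `redirect_outcome` tells you whether a given LAN host will end up ARPing for an address that is not on its link.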